Sophie Saul: Should security managers be worried at the moment?
Maximilian Munker: This clearly depends on the existing maturity level of the company and how proactively it is already prepared for threats. In the past, only the global players and large companies were attacked, as this is where the returns were greatest. Within the last three years, this has also happened massively in the SME segment. The decisive factor for a good IT security strategy is the combination of technical and organisational protective measures for the company.
So the technical aspects are an important element in protecting against attacks?
Yes, many of the current technologies serve to minimise risk. Technologies such as employee identity protection, data classification, endpoint detection & response or vulnerability management are good ways to minimise the attack surface.
But technology alone is not enough, is it?
Correct. These measures must always be accompanied by organisational frameworks. The best technical setup is of little help if there is no framework of responsibilities, regular checks or countermeasures in the company.
Often, the motto "a lot helps a lot" seems to apply, but at the end of the day, there are no adequate controls or even resources to detect and quickly deal with anomalies. We have various standards, so-called frameworks, such as international security frameworks (ISO 27001, NIST or CIS) or internal Information Security Management Systems (ISMS), which provide cornerstones for the implementation and planning of these multi-layered and complex tasks.
Subsequently, these management systems must be anchored in the organisation through guidelines and process descriptions so that the company and the employees have a defined framework for action for all eventualities.
That sounds like a good basis. So does that leave humans as the biggest security risk?
I can agree with this statement. We are not only talking about the classic end user who falls for credential phishing attacks despite repeated security awareness training, but also about the employees who configure hardware and software. There may be no budget in the company for continuous vulnerability scans to detect or eliminate vulnerabilities or insecure configurations. A good example is also the entry and exit processes of employees. If there is no established process for creating and deprovisioning user identities, employees who leave the company can continue to access systems and data with their credentials, even if their tenure has expired.
Thus, IT security remains a complex interplay of organisation, i.e. processes and guidelines, people who have specific awareness and technologies to identify and minimise risks and to protect themselves.
Is there a perfect procedure to cover yourself as well as possible?
Above all, it is important to know one's own maturity level as well as the strengths and weaknesses of the company. Cyber security assessments, for example, can evaluate and assess all relevant disciplines of a framework. Clients receive a final report in which all these weaknesses are processed and prioritised according to severity. In this way, we also provide our clients with a strategy to quickly close the most critical security gaps.
On the organisational level, various means are available to prepare for critical situations. In principle, you can't go wrong with the standards mentioned above. These pragmatically attempt to transfer urgent topics such as backup & restore, disaster recovery, business continuity management and many other areas into a control structure. Through this, the organisation ends up with a fully functioning system of technical infrastructure, organisational processes and control functions to ensure that all disciplines are handled properly.
And once everything is in place, what happens next?
Unfortunately, the current challenges and risks cannot be seen as a project with a final completion date, as the threat situation is constantly changing. Every day, several hundred thousand vulnerabilities and malware samples are added. Thus, security is more like a modern marathon or decathlon, as all these tasks to protect the company must be integrated into the daily business processes. The existing IT security strategy and the technical components must also be regularly reviewed and adapted in order to achieve maximum security. The use of the frameworks also provides a control framework, which in turn relies on the proactive review of all risk factors.
Isn't it frustrating to constantly see and react to new methods of attack?
Sometimes you feel like Don Quixote tilting at windmills (laughs). Certainly, the topic is challenging, but by using basic protection mechanisms such as identity protection, monitoring vulnerabilities and regular patching, many topics are already covered. Nevertheless, one should act on the basis of a framework and regularly control all eventualities through the internal ISMS. With these tools, you have the right equipment to face the current risk landscape appropriately.
And now one last question, Max. What can companies do if they want to be well secured and still focus on their core tasks instead of security issues?
One way is to transfer risk to an external service provider or even move critical services to the cloud. In this way, resource bottlenecks and missing competencies could simply be supplemented without having to build them up within the company. Finally, there are also some technologies that can significantly relieve the internal IT by proactively taking protective measures and identifying anomalies in advance, such as EDR/XDR, SIEM and a SOC.
Short CV of Maximilian Munker:
After completing his Master's degree in Strategy, Technology and Management at the Danube University Krems, Maximilian gained extensive security experience at renowned consulting companies. At Bechtle Schweiz AG, he manages projects in the areas of IT security, data protection, Microsoft technologies and the implementation and realisation of international frameworks such as ISO 27001 or CIS. He is particularly interested in the daily changing challenges in different customer situations, as there are a wide variety of requirements in the area of IT security.